Chapter Description

This chapter provides an overview of WAN/branch deployment, covers WAN/branch IPv6 deployment considerations and WAN/branch deployment over native IPv6, and includes an example WAN/branch implementation.

WAN/Branch Deployment over Native IPv6

At the time of this writing, it is rare for an enterprise to have full end-to-end reachability over native IPv6 from a branch site to a WAN head-end. As more and more service providers deploy IPv6 services to their customers, the enterprise can use IPv6 as the means of transporting encrypted IPv6 traffic between sites and leave behind the IPv6-in-IPv4 encrypted tunnel deployments that have been discussed in this chapter thus far.

Cisco supports the deployment of IPsec over IPv6 in Cisco IOS. The following section provides a basic configuration example of how to deploy IPsec over IPv6 on Cisco IOS between two routers.

Figure 8-6 shows a network topology of two routers connected to the Internet over IPv6. The routers in this case are IPv6-only, with IPv6-only devices attached; they could equally run dual-stack (IPv4 and IPv6), but nothing in the configuration requires it.

The configuration is straightforward and closely resembles that of a point-to-point IPsec configuration over IPv4. The differences are mostly with the addressing for the interfaces.

Example 8-13 shows the basic configuration on the HQ-1 router. The Internet Security Association and Key Management Protocol (ISAKMP) and IPsec policy information is the same as that used in the HBE discussed earlier. The difference is in the tunnel configuration: the tunnel source and destination are now IPv6 addresses rather than IPv4, and the tunnel mode is IPsec over IPv6 transport. Finally, the serial interface carries an IPv6 address used for the connection to the IPv6-enabled ISP. Unicast Reverse Path Forwarding (uRPF) is enabled on that interface to help mitigate source-address spoofing. In a production deployment, an ingress ACL on the serial interface would also permit only the protocols and source/destination pairs actually required between the branch and HQ.
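The shape of that HQ-1 configuration, as an added illustration written for this page rather than the book's own Example 8-13 (which is not reproduced here): every address comes from the 2001:db8::/32 documentation prefix, and the interface names, transform-set and profile names, the branch peer address and the pre-shared key are placeholders chosen for the example, not values from the book.

```text
! HQ-1: IPsec over native IPv6 to the branch router
! Added example, not the book's Example 8-13. Assumptions: Serial1/0 faces the
! ISP, the branch WAN address is 2001:db8:ffff:2::2, and all names, addresses
! and the pre-shared key are placeholders.
!
! Phase 1 (ISAKMP) and Phase 2 (IPsec) policy: unchanged from the IPv4 build
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! The pre-shared key is bound to the peer's IPv6 address instead of an IPv4 one
crypto isakmp key BranchPSK-Placeholder address ipv6 2001:db8:ffff:2::2/128
!
crypto ipsec transform-set HQ-BRANCH-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile HQ-BRANCH-PROF
 set transform-set HQ-BRANCH-TS
!
! Tunnel: the only real difference from the IPv4 point-to-point build is here
interface Tunnel0
 description IPsec VTI to Branch-1 over native IPv6
 no ip address
 ipv6 address 2001:db8:cafe:100::1/64
 tunnel source Serial1/0
 tunnel destination 2001:db8:ffff:2::2
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile HQ-BRANCH-PROF
!
! WAN interface: IPv6 address toward the ISP, strict uRPF, ingress filter
interface Serial1/0
 description Link to IPv6-enabled ISP
 no ip address
 ipv6 address 2001:db8:ffff:1::1/64
 ipv6 verify unicast source reachable-via rx
 ipv6 traffic-filter INET-IN in
!
! Ingress filter: only IKE and ESP from the branch peer, plus the ICMPv6 the
! link itself depends on. The explicit final deny overrides the implicit
! Neighbor Discovery permits an IOS IPv6 ACL would otherwise add, so ND is
! permitted explicitly.
ipv6 access-list INET-IN
 permit udp host 2001:db8:ffff:2::2 host 2001:db8:ffff:1::1 eq isakmp
 permit udp host 2001:db8:ffff:2::2 host 2001:db8:ffff:1::1 eq non500-isakmp
 permit esp host 2001:db8:ffff:2::2 host 2001:db8:ffff:1::1
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 deny ipv6 any any log
!
! Inside routing: the branch LAN prefix is reached through the tunnel
ipv6 route 2001:db8:cafe:2::/64 Tunnel0
```

The branch router mirrors this with the addresses swapped. Two points worth checking in a deployment of this kind: strict uRPF (`reachable-via rx`) is appropriate on a single-homed serial link, but must be relaxed to `reachable-via any` if the ISP connection ever becomes asymmetrically routed, or legitimate return traffic will be dropped; and the `packet-too-big` permit is not optional, because IPv6 routers do not fragment in transit, so an encrypted tunnel whose path MTU discovery is filtered will silently black-hole large packets.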